ASA certificate

key pair

Display current key pair

ASAv921# show crypto key mypubkey rsa

Remove a key pair

ASAv921(config)# crypto key zeroize rsa label ASA921
WARNING: Keys to be removed are named 'ASA921'.
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.

Do you really want to remove these keys? [yes/no]: yes
ASAv921(config)#


Generate general key pair

ASAv921(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASAv921(config)#

Generate key pair and assign it a label

ASAv921(config)# crypto key generate rsa label mykeypair
INFO: The name for the keys will be: mykeypair
Keypair generation process begin. Please wait...
ASAv921(config)#

Trustpoint

 A trustpoint is just a container in which certificates are stored.  A trustpoint can hold up to two certificates.

  1. An identity certificate (a certificate for which the router owns the corresponding private key)
  2. A certificate authority certificate (a certificate that is signed by another party; the router doesn't own the matching private key)

Create the trustpoint

ASAv921(config)# crypto ca trustpoint sslvpn.trusttpoint
ASAv921(config-ca-trustpoint)# subject-name CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto
ASAv921(config-ca-trustpoint)# keypair sslvpnkeypair
ASAv921(config-ca-trustpoint)# fqdn sslvpn.trustynet.com
ASAv921(config-ca-trustpoint)# enrollment terminal
ASAv921(config-ca-trustpoint)# exit

Generate CSR

ASAv921(config)# crypto ca enroll sslvpn.trusttpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto

% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no
ASAv921(config)#

(Optional) Import intermediate certificate

If the CA provides a CA certificate chain, only install the immediate intermediate CA certificate in the hierarchy on the trustpoint used to generate the CSR. The Root CA certificate and any other intermediate CA certificates can be installed in new trustpoints.

ASAv921(config)# crypto ca authenticate sslvpn.trusttpoint 

Import the certificate

ASAv921(config)# crypto ca import sslvpn.trusttpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com


Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
ASAv921(config)#

Enable the certificate on outside interface

ASAv921(config)# ssl trust-point sslvpn.trusttpoint outside
ASAv921(config)# wr mem
Building configuration...
Cryptochecksum: aebcb75f 6d23e656 cd1f6dbe 3aa9ef39

6905 bytes copied in 0.60 secs
[OK]
ASAv921(config)#

Display the certificate information

ASAv921# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 1fbb621e00000000000b
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=trustynet-WIN2K8-INT-CA
    dc=trustynet
    dc=com
  Subject Name:
    cn=sslvpn.trustynet.com
    ou=IT
    o=Trustynet Inc.
    l=Toronto
    st=ON
    c=CA
  CRL Distribution Points:
    [1]  ldap:///CN=trustynet-WIN2K8-INT-CA,CN=WIN2K8-INT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=trustynet,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 01:33:05 UTC Apr 22 2016
    end   date: 01:33:05 UTC Apr 22 2018
  Associated Trustpoints: sslvpn.trusttpoint

ASAv921#

Display certificate in PEM format

ASAv921(config)# crypto ca export sslvpn.trusttpoint identity-certificate

The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
ASAv921(config)#


Export key and certificate in PKCS12 format with password protection

ASAv921(config)# crypto ca export sslvpn.trusttpoint pkcs12 mypassword

Exported pkcs12 follows:
-----BEGIN PKCS12-----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-----END PKCS12-----
ASAv921(config)#

Import key and certificate to trustpoint

The ASA expects the server certificate to be imported as a base64-encoded PKCS#12 (.p12/.pfx) bundle, so the .pfx file has to be base64-encoded first with either of the following commands:
#openssl base64 -in xxxxx.pfx > xxxxx.base64
or
#openssl base64 -in certificate.pfx -out certificate.p12

Then open the file and add the PKCS12 header and footer below; copy and paste them without leaving any whitespace.
-----BEGIN PKCS12-----
-----END PKCS12-----


ASAv921(config)# crypto ca import sslvpn.trusttpoint pkcs12 mypassword
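The conversion above, done as a small script so the header and footer are added without stray whitespace, plus a check that the resulting blob still decodes to a valid PKCS#12 with the expected password before it is pasted into the ASA. This is an added example, not code from the original post or from Cisco; it assumes openssl is on PATH, and the key, certificate and bundle it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): wrap a .pfx/.p12 bundle in the
# PEM-style PKCS12 header/footer that the ASA "crypto ca import ... pkcs12"
# terminal prompt expects, and confirm the result is still a readable PKCS#12.
# Assumes openssl is on PATH; all file names below are constructed for the demo.
set -e

# asa_pkcs12_blob <bundle.pfx> <out.txt>
# Base64-encodes the binary bundle and adds the header/footer lines on their
# own lines with no surrounding whitespace.
asa_pkcs12_blob() {
    in="$1"; out="$2"
    {
        echo '-----BEGIN PKCS12-----'
        openssl base64 -in "$in"
        echo '-----END PKCS12-----'
    } > "$out"
}

# asa_pkcs12_check <blob.txt> <password>
# Strips the header/footer, decodes the base64 and has openssl parse the
# PKCS#12 with the given password. Returns 0 when the blob is importable,
# non-zero on a corrupt blob or a wrong password (MAC verify failure).
asa_pkcs12_check() {
    blob="$1"; pass="$2"
    sed '/^-----BEGIN PKCS12-----$/d;/^-----END PKCS12-----$/d' "$blob" \
        | openssl base64 -d \
        | openssl pkcs12 -info -noout -passin "pass:$pass" >/dev/null 2>&1
}

# Demo material (constructed): a throwaway key and self-signed certificate,
# bundled into a password-protected .pfx the way a CA export would deliver it.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=sslvpn.trustynet.com' \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" >/dev/null 2>&1
openssl pkcs12 -export -inkey "$demo_dir/key.pem" -in "$demo_dir/cert.pem" \
    -passout pass:mypassword -out "$demo_dir/bundle.pfx"

asa_pkcs12_blob "$demo_dir/bundle.pfx" "$demo_dir/bundle.asa.txt"
# The whole file, header and footer included, is what gets pasted at the ASA
# prompt after "crypto ca import <trustpoint> pkcs12 mypassword".
head -1 "$demo_dir/bundle.asa.txt"
tail -1 "$demo_dir/bundle.asa.txt"
asa_pkcs12_check "$demo_dir/bundle.asa.txt" mypassword && echo "PKCS12 blob decodes with the expected password"
```

Running the check with the password you intend to give the ASA catches the two usual import failures (a bundle exported with a different password, or a base64 file damaged by a copy-paste) before they show up as an unhelpful error on the firewall.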



Renew certificate without changing private key

Verify which key pair the trustpoint uses:
sh run crypto ca trustpoint

ASAv921(config)# crypto ca import sslvpn.trusttpoint certificate


GUI:
Generate a new CSR for the trustpoint with the same key pair; when the new certificate is received, install it.
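Before importing a renewed certificate into the existing trustpoint, it is worth confirming offline that the CA actually issued it for the key pair the trustpoint holds (a CSR generated with a fresh key, or a certificate returned for the wrong request, fails the import or leaves the trustpoint with a mismatched key). The script below, an added example that is not from the original post or from Cisco, compares the SHA-256 digest of the public key in a certificate or CSR with the one derived from the private key. It assumes openssl is on PATH; the keys, CSR and certificates it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): check that a renewed certificate
# (or the renewal CSR) carries the same public key as the existing key pair.
# Assumes openssl is on PATH; all files below are constructed for the demo.
set -e

# pubkey_digest <pem-file>
# Prints the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, whether
# the file holds a private key, an X.509 certificate or a CSR.
pubkey_digest() {
    f="$1"
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$f"; then
        openssl req -in "$f" -pubkey -noout
    elif grep -q 'BEGIN CERTIFICATE' "$f"; then
        openssl x509 -in "$f" -pubkey -noout
    else
        openssl pkey -in "$f" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_key <cert-or-csr.pem> <key.pem>
# Returns 0 when both carry the same public key, 1 otherwise.
cert_matches_key() {
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]
}

# Demo material (constructed).
demo_dir=$(mktemp -d)
# The key pair the trustpoint already references.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/existing.key" 2>/dev/null
# A renewal CSR built from that same key, and a certificate issued for it
# (self-signed here to stand in for the CA's answer).
openssl req -new -key "$demo_dir/existing.key" \
    -subj '/CN=sslvpn.trustynet.com' -out "$demo_dir/renew.csr"
openssl x509 -req -in "$demo_dir/renew.csr" -signkey "$demo_dir/existing.key" \
    -days 1 -out "$demo_dir/renewed.crt" 2>/dev/null
# A certificate for a different key pair, i.e. a CSR generated with a new key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=sslvpn.trustynet.com' \
    -keyout "$demo_dir/other.key" -out "$demo_dir/other.crt" 2>/dev/null

cert_matches_key "$demo_dir/renewed.crt" "$demo_dir/existing.key" \
    && echo "renewed.crt matches the existing key pair: safe to import into the trustpoint"
cert_matches_key "$demo_dir/other.crt" "$demo_dir/existing.key" \
    || echo "other.crt was issued for a different key pair: do not import it here"
```

To run this against real material, export the trustpoint's identity certificate with the crypto ca export command shown earlier (or take the CSR displayed at enrollment) and compare it with the certificate the CA returned; the private key itself never leaves the ASA, and comparing public-key digests is enough to decide.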

================================

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
